Skip to content

Instantly share code, notes, and snippets.

@ServerlessBot
Last active December 20, 2023 16:50
Show Gist options
  • Save ServerlessBot/7618156b8671840a539f405dea2704c8 to your computer and use it in GitHub Desktop.
Save ServerlessBot/7618156b8671840a539f405dea2704c8 to your computer and use it in GitHub Desktop.
Minimum credential set for Serverless Framework
{
"Statement": [
{
"Action": [
"apigateway:*",
"cloudformation:CancelUpdateStack",
"cloudformation:ContinueUpdateRollback",
"cloudformation:CreateChangeSet",
"cloudformation:CreateStack",
"cloudformation:CreateUploadBucket",
"cloudformation:DeleteStack",
"cloudformation:Describe*",
"cloudformation:EstimateTemplateCost",
"cloudformation:ExecuteChangeSet",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:UpdateStack",
"cloudformation:UpdateTerminationProtection",
"cloudformation:ValidateTemplate",
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:UpdateTimeToLive",
"ec2:AttachInternetGateway",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkAclEntry",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:DeleteInternetGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteVpc",
"ec2:Describe*",
"ec2:DetachInternetGateway",
"ec2:ModifyVpcAttribute",
"events:DeleteRule",
"events:DescribeRule",
"events:ListRuleNamesByTarget",
"events:ListRules",
"events:ListTargetsByRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iot:CreateTopicRule",
"iot:DeleteTopicRule",
"iot:DisableTopicRule",
"iot:EnableTopicRule",
"iot:ReplaceTopicRule",
"kinesis:CreateStream",
"kinesis:DeleteStream",
"kinesis:DescribeStream",
"lambda:*",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:PutSubscriptionFilter",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketTagging",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutObject",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:SetSubscriptionAttributes",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:Unsubscribe",
"states:CreateStateMachine",
"states:DeleteStateMachine"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
@ctranstrum
Copy link

I had to add "dynamodb:DescribeTimeToLive" and "dynamodb:UpdateTimeToLive" to allow the creation of a table with TTL settings.

@CGeorges
Copy link

I also needed:
"logs:PutSubscriptionFilter"
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",

@ServerlessBot
Copy link
Author

Thanks everyone for chiming in! We just updated the gist accordingly. 👍

@CGeorges
Copy link

For next update, this popped up for me
"logs:DeleteSubscriptionFilter"

@ktkaushik
Copy link

Thanks @CGeorges

@danillouz
Copy link

danillouz commented Sep 17, 2019

Thanks for this list!

Because I use a custom S3 deployment bucket, I also had to add an extra statement object to the list, with the s3:GetBucketLocation action, for deployments to succeed:

{
  "Action": [
    "s3:GetBucketLocation"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:s3:::MY_DEPLOYMENTS_BUCKET_NAME"
}

@wordtracker
Copy link

As @CGeorges commented above, if changing name of method e.g. someMethod to some_method you get:
AWSCloudFormation is not authorized to perform: logs:DeleteSubscriptionFilter on resource someMethod

Suggest add:
"logs:DeleteSubscriptionFilter"

@wordtracker
Copy link

SQS may be preferable (or additional) to SNS as per this example (not affiliated):
https://medium.com/hackernoon/how-to-setup-aws-lambda-with-sqs-everything-you-should-know-12263d8aa91e

So suggest add:
"iam:ListAttachedRolePolicies"

and some subset of:
"sqs:*"

@gotexis
Copy link

gotexis commented Nov 19, 2019

wtf is the difference between this and "AWS full access"?

@carlin-q-scott
Copy link

This is more like the maximum credential set since it requests everything Serverless might use to set up a lambda function. We can remove SNS if we don't use it, or kinesis, or iot, etc.

Only cloudformation, iam, lambda, logs, and s3 are minimum requirements.

@paul-court
Copy link

Since the title says "minimum", can this be re-edited down to an absolute minimum required to do a deployment of a simple function with no dependencies?

"Oops! A bug in serverless just deleted your production VPC" - Err, no thanks!

@ChristianUlbrich
Copy link

{
    "Statement": [
        {
            "Action": [
                "cloudformation:CancelUpdateStack",
                "cloudformation:ContinueUpdateRollback",
                "cloudformation:CreateChangeSet",
                "cloudformation:CreateStack",
                "cloudformation:CreateUploadBucket",
                "cloudformation:DeleteStack",
                "cloudformation:Describe*",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:UpdateStack",
                "cloudformation:UpdateTerminationProtection",
                "cloudformation:ValidateTemplate",
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "lambda:*",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:GetLogEvents",
                "logs:PutSubscriptionFilter",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketPolicy",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:PutBucketNotification",
                "s3:PutBucketPolicy",
                "s3:PutBucketTagging",
                "s3:PutBucketWebsite",
                "s3:PutEncryptionConfiguration",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

As @carlin-q-scott says the above actions are sufficient to deploy the simple helloWorld from the docs. However if you want to actually attach a HTTP endpoint, you will also need "apigateway:*". I'd bet one would restrict access to certain resources though for more security...

@divick
Copy link

divick commented Jul 10, 2020

AWS limits the policy size by default to 2048 characters, and the policy in the gist exceeds that many characters. It is giving error:

Maximum policy size of 2048 bytes exceeded for user serverless-servicename-agent

@wfraher
Copy link

wfraher commented Aug 21, 2020

I got this error:

Maximum policy size of 2048 bytes exceeded for user serverless-servicename-agent

It was fixed by removing spaces from the JSON file.

@qbiqing
Copy link

qbiqing commented Dec 17, 2020

I also needed "logs:DeleteSubscriptionFilter" to run sls remove

@joshuaquek
Copy link

So far I am using this tool to help me generate policies for my serverless projects:

https://open-sl.github.io/serverless-permission-generator/

@troggy
Copy link

troggy commented Feb 25, 2021

How the policy on "Resource": "*" could be minimal? It is not. For instance, if you host other resources on the same AWS account's S3 (e.g. website) this policy will allow to do anything with it. Including uploading a backdoor or deleting your website whatsoever.

While it is very dangerous to use this policy in production, it is a good start. But it is not minimal and should be trimmed to your account situation. The title is absolutely misleading.

@tuyendq
Copy link

tuyendq commented Jun 28, 2021

I need to add "states:TagResource"

@briskt
Copy link

briskt commented Feb 11, 2022

@gotexis, @Gargoyle, @troggy I agree completely. We use this as a Terraform template. It also could be considered a work in progress, but it does not use "*" for the Resource except where necessary. Of particular note, I have on my to-do list to add support for Cloudformation Change Sets, which was a "refactor" in Serverless version 3. This gist has ExecuteChangeSet and CreateChangeSet, but I found DeleteChangeSet is also needed. edited: Looks like DescribeChangeSet is used in the serverless code as well.

@briskt
Copy link

briskt commented Feb 11, 2022

@joshuaquek thanks for that link. Wondering why that's not linked from the Serverless docs instead of this gist.

@joshuaquek
Copy link

@schparky , sure no problem at all!
Hmm yeah I guess maybe its because the permission generator was not done by the same team that built the Serverless framework.

Side note - I have kind of moved on from serverless in general and now have been dabbling with unikernels instead haha - https://github.com/joshuaquek/expressjs-ops-unikernel

@romankurnovskii
Copy link

logs:CreateLogDelivery missed here and required in some templates

@dweemx
Copy link

dweemx commented Oct 6, 2022

cloudformation:DeleteChangeSet was missing to make the Node.JS starter app work

@joebernard
Copy link

joebernard commented Nov 4, 2022

Here is what I cobbled together for serverless Lambda deployments based on the helpful comments here. This could be improved by specifying your account id instead of allowing *. I was unsure which role should be allowed for iam:GetRole and ended up specifying * for that. If anyone knows which roles should be allowed there please comment.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "logs:DescribeLogGroups",
                "lambda:List*",
                "logs:DescribeLogStreams",
                "lambda:Get*",
                "logs:PutRetentionPolicy",
                "cloudformation:List*",
                "logs:CreateLogGroup",
                "cloudformation:ValidateTemplate",
                "cloudformation:Describe*",
                "cloudformation:Get*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:Put*",
                "events:Remove*",
                "events:Delete*"
            ],
            "Resource": [
                "arn:aws:events:us-east-1::event-source/*",
                "arn:aws:events:us-east-1:*:rule/*",
                "arn:aws:events:us-east-1:*:event-bus/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule"
            ],
            "Resource": [
                "arn:aws:events:us-east-1:*:rule/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutAccelerateConfiguration",
                "s3:ListBucketVersions",
                "s3:CreateBucket",
                "iam:CreateRole",
                "s3:ListBucket",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "cloudformation:CreateChangeSet",
                "s3:GetBucketPolicy",
                "cloudformation:DeleteChangeSet",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "s3:PutBucketAcl",
                "lambda:PutFunctionEventInvokeConfig",
                "cloudformation:UpdateStack",
                "lambda:DeleteFunctionEventInvokeConfig",
                "lambda:DeleteFunction",
                "s3:DeleteBucket",
                "cloudformation:ExecuteChangeSet",
                "iam:GetRole",
                "s3:PutBucketPublicAccessBlock",
                "lambda:InvokeFunction",
                "logs:DeleteLogGroup",
                "lambda:Update*",
                "iam:DeleteRole",
                "s3:DeleteBucketPolicy",
                "lambda:AddPermission",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "s3:PutBucketPolicy",
                "lambda:PublishVersion",
                "s3:GetBucketLocation",
                "lambda:RemovePermission",
                "lambda:CreateAlias"
            ],
            "Resource": [
                "arn:aws:s3:::*",
                "arn:aws:iam::*:role/LambdaExecutionRole",
                "arn:aws:lambda:us-east-1:*:function:*",
                "arn:aws:lambda:us-east-1:*:event-source-mapping:*",
                "arn:aws:cloudformation:us-east-1:*:stack/*/*",
                "arn:aws:logs:us-east-1:*:log-group:/aws/lambda/*:*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateUploadBucket",
                "cloudformation:Describe*"
            ],
            "Resource": "arn:aws:cloudformation:us-east-1:*:stack/*/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/*"
            ]
        }
    ]
}

@yeahoffline
Copy link

yeahoffline commented Jan 7, 2023

cloudformation:DeleteChangeSet
states:TagResource
logs:TagResource

are missing for the basic node starter .... please fix...

@olivier-sabban
Copy link

olivier-sabban commented Jul 28, 2023

I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point.
Why are there so few contributions? Could it be because everyone is granting full rights ?

Personally, I've tested the configurations provided in this gist, but unfortunately, they didn't work as expected. It appears that certain permissions are missing with the last version of serverless.

I suggest creating a minimum, tested roles file with proper permissions.

I'm currently working on my own configuration, and once it's complete, I will share it with the community.

@M15t
Copy link

M15t commented Aug 14, 2023

I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point. Why are there so few contributions? Could it be because everyone is granting full rights ?

Personally, I've tested the configurations provided in this gist, but unfortunately, they didn't work as expected. It appears that certain permissions are missing with the last version of serverless.

I suggest creating a minimum, tested roles file with proper permissions.

I'm currently working on my own configuration, and once it's complete, I will share it with the community.

Great! Can't wait for your configuration!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment